Created attachment 13621[details]
Proposed patch for master (needs bugID adding).
From "Lutz Justen" <ljusten@google.com>
The patches make sure that the order of GPOs in
net ads gpo list matches the expected application order:
- Local first, then site GPOs, then domain GPOs, then OU GPOs.
- Domains and OUs: parent-to-child. - GPOs within same domain/OU: Link
order.
- Enforced GPOs are applied last, so they override all non-enforced GPOs.
I don't know if net ads gpo list was supposed to list GPOs in the proper
order, but our code depends on it. I didn't see any other place outside of
ads_get_gpo_list where Samba is making sure that GPOs are applied in the
right order.

Comment on attachment 13621[details]
Proposed patch for master (needs bugID adding).
Patch is bad. As Lutz pointed out:
Concerning your patch, I've found an issue:
This loop will iterate forever since i is unsigned, so i-- will wrap to (uint32_t)-1 once it reaches 0:
uint32_t i;
for (i = gp_link->num_links - 1; i >= 0; i--) {
Thus, i needs to be int and num_links has to be casted to int, anyway, and the check for num_links==0 is unnecessary. Other than that, it looks OK.